CVE-2022-1495: 
vulnerability analysis and mitigation

CVE-2022-1495 is a security vulnerability discovered in Google Chrome on Android prior to version 101.0.4951.41. The vulnerability was reported by Umar Farooq on February 28, 2022, and involves incorrect security UI implementation in the Downloads feature that could allow a remote attacker to spoof the APK downloads dialog through a crafted HTML page (Chrome Release, NVD).

The vulnerability has been assigned a CVSS v3.1 Base Score of 4.3 (MEDIUM) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N. It is classified under CWE-290 (Authentication Bypass by Spoofing). The vulnerability affects Google Chrome on Android devices running versions prior to 101.0.4951.41 (NVD).

The vulnerability could allow remote attackers to spoof the APK downloads dialog, potentially misleading users about the nature or origin of downloaded applications. This could lead to users inadvertently installing malicious applications thinking they are legitimate (NVD).

The vulnerability was patched in Google Chrome version 101.0.4951.41. Users are advised to update their Chrome browser to this version or later to mitigate the risk (Chrome Release, Gentoo Advisory).